Medical devices are becoming increasingly connected to the internet, hospital networks, and to other medical devices. Whilst this increased connectivity enables functionality that facilitates improved health care, this same functionality also expands the potential for cybersecurity risks.
In our topical article below, our Head of eHealth Paul Gardner outlines some key considerations regarding cybersecurity for connected medical devices, including advice for design & implementation, testing, and manufacture.
Medical devices, like other computer systems, can be vulnerable to security breaches which can potentially impact their safety and effectiveness. As threats and vulnerabilities cannot be fully eliminated, reducing cybersecurity risk is especially challenging. The health care environment is complex, and so manufacturers, health care providers, and facilities must work together to manage potential cybersecurity risks. Cybersecurity and maintaining data integrity are fundamental parts of any connected medical device development and need to be continuously managed throughout the product’s lifecycle.
Security threats need to be considered early in the development process. Security activities such as architecture review, threat modelling, application security testing, penetration testing, and risk management will help to reveal the potential vulnerabilities within your connected medical device.
Design and risk procedures must account for cybersecurity. The MDR outlines eight practices for managing the cybersecurity of your device:
While industry standards and best practices help with developing security requirements, you also need to consider the requirements of the product itself. This can be done with a threat modelling exercise, where you consider:
There are various methods available for threat modelling such as STRIDE and CVSS. For further information on these methods, take a look at the further reading section at the end of this article.
One of the key medical device security requirements is software integrity/authenticity and data confidentiality. Implementing these requirements is not possible without hardware support, so the first step when designing a product is to ensure that your chosen processor supports certain security features such as:
In order to reduce the risk of supply chain attacks, any brought-in source code should be designated as Software of Unknown Provenance (SOUP) and vetted accordingly.
As well as developing robust device security principles, ensuring the security of your code is an equally critical aspect of device security. Your coding guidelines need to include secure coding practices, and your code reviews should hold software developers accountable for security.
Security testing should be given careful consideration, and as with any other medical device testing, a plan should be created. Your Security Test Plan should outline your proposed testing methods that aim to support the cybersecurity of your device e.g., Security Testing Tools and Penetration Testing. Lastly, don’t overlook the security of your manufacturing process.
Securing your manufacturing process is the final step in building a thorough defence against cybersecurity threats, so any tools required to securely program devices, or to configure or provision devices need to be controlled.
Various laws have recently been passed to improve the cybersecurity of medical devices:
| Americas | EMEA | APAC |
| --- | --- | --- |
| 2021 Executive Order; H.R.1668: IoT Cybersecurity Improvement Act; California SB-327; Oregon HB 2395 (2019) | European Cyber Security Act | Singapore CLS (Cybersecurity Labelling Scheme); Australia Code of Practice |
In the EU, cybersecurity of medical devices is considered part of the General Safety and Performance Requirements (GSPR) of the Medical Device Regulation MDR 2017/745. In addition, the General Data Protection Regulation (GDPR) introduces certain data requirements and provides EU residents with fundamental rights over their data and its protection.
In the US, as part of the software validation and risk analysis required by 21 CFR 820.30(g), software device manufacturers need to establish a cybersecurity vulnerability and management approach. In addition, manufacturers and/or other entities, depending on the facts and circumstances, may be obligated to protect the confidentiality, integrity, and availability of patient information throughout the product lifecycle, in accordance with applicable federal and state laws, including the Health Information Portability and Accountability Act (HIPAA).
In addition to the legislation, the following guidelines on medical device cybersecurity should be considered when developing a connected medical device:
EU:
US:
The Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook outlines a framework for health delivery organisations (HDOs) and other stakeholders to plan for and respond to cybersecurity incidents around medical devices, to ensure the effectiveness of devices, and to protect patient safety.
And finally, the resources below provide more information on principles for medical device security and secure coding practices:
Should you have a cybersecurity-related challenge as part of your medical device project, our eHealth team is ready and happy to help. Simply get in touch to start the conversation.